diff --git a/ANNOUNCE b/ANNOUNCE
index 5b542933e..d16bf333b 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -84,6 +84,7 @@ Version 1.5.14rc02 [January 17, 2013]
 Revised test for validity of "num_unknowns" to eliminate compiler warnings.
 
 Version 1.5.14rc03 [January 17, 2013]
+ Check validity of "nentries" parameter of png_set_sPLT().
 
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/CHANGES b/CHANGES
index 334b81fea..4c2d767a8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3977,6 +3977,7 @@ Version 1.5.14rc02 [January 17, 2013]
 Revised test for validity of "num_unknowns" to eliminate compiler warnings.
 
 Version 1.5.14rc03 [January 17, 2013]
+ Check validity of "nentries" parameter of png_set_sPLT().
 
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/pngset.c b/pngset.c
index f6efc7dd1..1467690a7 100644
--- a/pngset.c
+++ b/pngset.c
@@ -969,9 +969,18 @@ png_set_sPLT(png_structp png_ptr,
 if (png_ptr == NULL || info_ptr == NULL)
 return;
 
- np = (png_sPLT_tp)png_malloc_warn(png_ptr,
- (info_ptr->splt_palettes_num + nentries) *
- (png_size_t)png_sizeof(png_sPLT_t));
+ if (nentries < 0 ||
+ nentries > INT_MAX-info_ptr->splt_palettes_num ||
+ (unsigned int)/*SAFE*/(nentries +/*SAFE*/
+ info_ptr->splt_palettes_num) >=
+ PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
+ np=NULL;
+
+ else
+
+ np = (png_sPLT_tp)png_malloc_warn(png_ptr,
+ (info_ptr->splt_palettes_num + nentries) *
+ (png_size_t)png_sizeof(png_sPLT_t));
 
 if (np == NULL)
 {
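Review bot: In the pngset.c hunk a rejected `nentries` is funnelled through `np=NULL;` into the `if (np == NULL)` branch below, so a caller passing a bad count is reported the same way as an allocation failure (that branch's body lies outside the hunk, so I cannot confirm what it emits); braces around the rejection with `png_warning(png_ptr, "png_set_sPLT: invalid nentries"); np = NULL;` would keep the two failures distinguishable. The bound itself looks right — the first two clauses guarantee `nentries + info_ptr->splt_palettes_num` is a non-negative `int` before the third clause casts it, so the `(unsigned int)` cast cannot change the value — but the two `/*SAFE*/` markers do not say that; replace them with a comment such as `/* both operands are non-negative ints and the sum was checked against INT_MAX above, so the unsigned cast is value-preserving */`. `INT_MAX` needs `<limits.h>` in scope, which this hunk does not show. Style: `np=NULL;` and `INT_MAX-info_ptr->splt_palettes_num` drop the spaces the surrounding lines use, and the blank lines on either side of `else` are unusual for this file; `np = NULL;` and `INT_MAX - info_ptr->splt_palettes_num` match the rest. png_set_sPLT begins above the hunk (only its signature appears in the `@@` context) and continues past it.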